Exploit Found – composer.phar


  • #43694
    Ian
    Participant

    Hi,

    Bulletproof has not reported or quarantined this file but our webhost scanner is reporting that composer.phar is malware.

    Exploit Found – php.sh.dev.null

    Any ideas on what I should do please?

    The location reported is:

    ***********************.com/public_html/wp-content/bps-backup/autorestore/wp-content/upgrade-temp-backup/plugins/sunshine-digital-downloads/vendor/grandt/relativepath/composer.phar

    #43695
    Ian
    Participant

    Hi,

    It’s not blocking anything, it appears to have not detected the file is dangerous, well dangerous according to the web hosting virus scanner.

    Thanks,

    #43697
    AITpro Admin
    Keymaster

    composer.phar is the name of a PHP archive file for Composer > https://getcomposer.org/doc/00-intro.md. Sunshine Digital Downloads appears to be an add-on for the Sunshine Photo Cart plugin. The reason I am explaining this is that composer.phar is usually installed in a protected server folder like /bin. It should not be in a plugins folder. So my guess is either the Sunshine Photo Cart is a hacker plugin/nulled plugin or the Sunshine Photo Cart plugin comes with the composer.phar file to declare additional libraries.

    It is quite possible the composer.phar file is a hacker file and it has been modified.

    To delete the composer.phar file from AutoRestore backup > go to BPS Pro > AutoRestore > under wp-content Files > click the Delete Backup Files button > then click the Backup Files button.

    #43698
    AITpro Admin
    Keymaster

    I think WPSunshine is using Composer to install their add-on plugins. For reference > here is an example tutorial on how to do that > https://support.platform.sh/hc/en-us/community/posts/16439679495314

    #43702
    Ian
    Participant

    Hi,

    The developer has confirmed the following:

    The file “sunshine-digital-downloads/vendor/grandt/relativepath/composer.phar” did exist in the previous Sunshine 2 version of the Digital Downloads add-on.

    This is the current file structure for the plugin: https://share.cleanshot.com/CfczJtSk

    In the “vendor” folder, there is no “grandt” folder like explained in the security report you have. It’s possible your backup system is merging the old Sunshine 2 version of folders/files with the newer Sunshine 3 version for the Digital Downloads add-on. I’m not sure – I have never seen or heard of that system which is used on your site so I don’t understand how it works.


    #43703
    AITpro Admin
    Keymaster

    Ok so nothing to worry about then. This is/was a legitimate file and your web host scanner detected a false positive.
